A personal information processor shall, according to the purpose and method of processing personal information, the type of personal information, the impact on individuals' rights and interests, and the possible security risks, etc., take the following measures to ensure that personal information processing activities comply with the provisions of laws and administrative regulations, and to prevent unauthorized access to, or leakage, falsification, or loss of, personal information:
(I) formulating internal management system and operational procedures;
(II) managing personal information by classification;
(III) taking corresponding technical security measures such as encryption and de-identification;
(IV) reasonably determining the authority to process personal information and conducting security education and training for employees on a regular basis;
(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and
(VI) other measures as prescribed by laws and administrative regulations.
Where the quantity of personal information processed by a processor reaches that specified by the State cyberspace administration, the processor shall designate a person in charge of personal information protection to be responsible for supervising the processing of personal information and the adopted protection measures.
A personal information processor shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the department performing duties of personal information protection.
Any personal information processor outside the territory of the People's Republic of China as prescribed in Paragraph 2, Article 3 hereof shall establish a special agency or designate a representative within the territory of the People's Republic of China to be responsible for relevant matters of personal information protection, and submit the name and contact information of the relevant agency or representative to the department performing duties of personal information protection.
A personal information processor shall regularly audit whether its processing of personal information is in compliance with provisions of laws and administrative regulations.
A personal information processor shall conduct a personal information protection impact assessment in advance in the following circumstances and keep a record of the processing:
(I) processing sensitive personal information;
(II) using personal information to make automated decisions;
(III) entrusting others to process personal information, providing other personal information processors with personal information, and disclosing personal information;
(IV) providing personal information to overseas parties; and
(V) other personal information processing activities that have a significant impact on individuals’ rights and interests.
The personal information protection impact assessment shall include the following:
(I) whether the purpose and method of processing personal information are legitimate, justifiable, and necessary;
(II) impact on individuals’ rights and interests and the security risks; and
(III) whether the security protection measures taken are legitimate, effective, and appropriate to the degree of risks.
The personal information protection impact assessment report and the processing record shall be kept for at least three years.
Where personal information has been or may be leaked, falsified, or lost, the personal information processor shall immediately take remedial measures and inform the department performing duties of personal information protection and the individuals concerned. The notice shall include the following particulars:
(I) types and causes of personal information leakage, falsification, and loss that have occurred or may occur and the possible harm caused;
(II) remedial measures taken by the personal information processor and measures individuals may take to mitigate harm; and
(III) contact information of the personal information processor.
If the personal information processor has taken measures that effectively avoid the harm caused by the leakage, falsification, or loss of information, it may opt not to notify the individuals; however, if the department performing duties of personal information protection believes that harm may result, it may require the personal information processor to notify the individuals.
Personal information processors that provide important Internet platform services with a large number of users and complex business types shall perform the following obligations:
(I) establishing and improving a compliance system for personal information protection in accordance with state regulations, and establishing an independent body composed mainly of external members to supervise personal information protection;
(II) formulating platform rules in accordance with the principles of openness, fairness, and justice, to clarify the norms for processing personal information and the personal information protection obligations of product or service providers within the platform;
(III) ceasing to provide services to product or service providers on the platform that seriously violate laws and administrative regulations in processing personal information; and
(IV) regularly releasing social responsibility reports on personal information protection and accepting public supervision.
The party entrusted to process personal information shall fulfill the relevant obligations prescribed by this Law and other relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information it processes, and assist the personal information processor in fulfilling its obligations under this Law.